rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2d22c7100c
ipa/freeipa-3.0.0.pre1-048-fix-validator-for-selinux-user-map-settings-in-confi.patch
Martin Kosek 3c91c125af Add missing 3.0.0 beta 2 development patches
2012-08-06 18:17:49 +02:00

117 lines
5.6 KiB
Diff
Raw Blame History

From e345ad12eb05e53246c2eca54616f9001765c291 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 24 Jul 2012 22:55:27 -0400
Subject: [PATCH 48/79] Fix validator for SELinux user map settings in config
plugin.
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).
One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.
https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
---
ipalib/plugins/config.py | 35 +++++++++++++++++++--------------
tests/test_xmlrpc/test_config_plugin.py | 28 ++++++++++++++++++++++++++
2 files changed, 48 insertions(+), 15 deletions(-)
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index c8230e23a779163bca447594206a65b6062d4b37..d632e2edf964919c4f99ee509b31e3bea7d373a3 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -250,30 +250,35 @@ class config_mod(LDAPUpdate):
error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
% dict(obj=obj, attr=obj_attr))
- if 'ipaselinuxusermapdefault' in options and options['ipaselinuxusermapdefault'] is None:
- raise errors.ValidationError(name='ipaselinuxusermapdefault',
- error=_('SELinux user map default user may not be empty'))
-
- # Make sure the default user is in the list
- if 'ipaselinuxusermapdefault' in options or \
- 'ipaselinuxusermaporder' in options:
+ # Combine the current entry and options into a single object to
+ # evaluate. This covers changes via setattr and options.
+ # Note: this is not done in a validator because we may be changing
+ # the default user and map list at the same time and we don't
+ # have both values in a validator.
+ validate = dict(options)
+ validate.update(entry_attrs)
+ if ('ipaselinuxusermapdefault' in validate or
+ 'ipaselinuxusermaporder' in validate):
config = None
- if 'ipaselinuxusermapdefault' in options:
- defaultuser = options['ipaselinuxusermapdefault']
+ failedattr = 'ipaselinuxusermaporder'
+ if 'ipaselinuxusermapdefault' in validate:
+ defaultuser = validate['ipaselinuxusermapdefault']
+ failedattr = 'ipaselinuxusermapdefault'
else:
config = ldap.get_ipa_config()[1]
- defaultuser = config['ipaselinuxusermapdefault']
+ defaultuser = config['ipaselinuxusermapdefault'][0]
- if 'ipaselinuxusermaporder' in options:
- order = options['ipaselinuxusermaporder']
+ if 'ipaselinuxusermaporder' in validate:
+ order = validate['ipaselinuxusermaporder']
+ userlist = order.split('$')
else:
if not config:
config = ldap.get_ipa_config()[1]
order = config['ipaselinuxusermaporder']
- userlist = order[0].split('$')
+ userlist = order[0].split('$')
if defaultuser not in userlist:
- raise errors.ValidationError(name='ipaselinuxusermaporder',
- error=_('Default SELinux user map default user not in order list'))
+ raise errors.ValidationError(name=failedattr,
+ error=_('SELinux user map default user not in order list'))
return dn
diff --git a/tests/test_xmlrpc/test_config_plugin.py b/tests/test_xmlrpc/test_config_plugin.py
index da549bfb3efb56b05546ba32e7ce57414a586160..6d83f047e0e647270712003d77c40f3c1014f90f 100644
--- a/tests/test_xmlrpc/test_config_plugin.py
+++ b/tests/test_xmlrpc/test_config_plugin.py
@@ -60,4 +60,32 @@ class test_config(Declarative):
expected=errors.RequirementError(name='ipausersearchfields'),
),
+ dict(
+ desc='Try to set invalid ipaselinuxusermapdefault',
+ command=('config_mod', [],
+ dict(ipaselinuxusermapdefault=u'unknown_u:s0')),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+ ),
+
+ dict(
+ desc='Try to set invalid ipaselinuxusermapdefault with setattr',
+ command=('config_mod', [],
+ dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+ ),
+
+ dict(
+ desc='Try to set invalid ipaselinuxusermaporder',
+ command=('config_mod', [],
+ dict(ipaselinuxusermaporder=u'notfound_u:s0')),
+ expected=errors.ValidationError(name='ipaselinuxusermaporder', error='SELinux user map default user not in order list'),
+ ),
+
+ dict(
+ desc='Try to set new selinux order and invalid default user',
+ command=('config_mod', [],
+ dict(ipaselinuxusermaporder=u'$xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023', ipaselinuxusermapdefault=u'unknown_u:s0')),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+ ),
+
]
--
1.7.11.2
Reference in New Issue View Git Blame Copy Permalink